[Dnssec-trigger] resolv.conf content after dnssec-trigger stop
wouter at nlnetlabs.nl
Mon Nov 25 13:39:59 UTC 2013
Thanks for this and the one-more-line modification.
I put it into the fedora/ subdirectory, but if you want, it could be
elsewhere (the main dir and installed somewhere?).
On 11/21/2013 05:09 PM, Tomas Hozza wrote:
> I finished and successfully tested the script for backing-up and
> restoring resolv.conf. Its behaviour was consulted with QE and it
> works as follows:
> 1. if called as "dnssec-trigger-resolvconf-handle.sh backup" - if
> NM is configured with "dns=none" it copies resolv.conf into
> 2. if called as "dnssec-trigger-resolvconf-handle.sh restore" - if
> backup in /var/run/dnssec-trigger exists and NM is configured with
> "dns=none" it will restore the resolv.conf - else it will obtain
> the current list of nameservers and write them into resolv.conf until
> NM rewrites it.
> I'm working with the systemd guys on the right systemd.service file,
> because systemd had some problems with creating a transaction. But
> this is for sure doable, since I have a couple of other ways to
> make it work.
> I'm also CCing the dnssec-trigger mailing list, since I think such a
> script should be included in the upstream repo if agreed that it is
> Tomas Hozza
> ----- Original Message -----
>> [ ExecStop script ]
>> Good idea. Note that an unrelated bug sometimes causes
>> dnssec-triggerd to write a resolv.conf without any nameserver
>> entry. I've filed that as bug upstream and they confirmed it. We
>> might need to poke them a few times to get it fixed though.
>>>> I was recently thinking about the situation that happens if
>>>> you stop dnssec-trigger on the system. dnssec-trigger will
>>>> most probably (depending on the state it was in) leave
>>>> "127.0.0.1" in resolv.conf. This can cause a really
>>>> frustrating user experience, since NM will not write DNS
>>>> server IP addresses into it until the next network change.
>>>> Currently there is no way to tell NM to write the
>>>> configuration into the resolv.conf besides restarting it.
>> This should get folded into a NM plugin, so NM can fully control
>> resolv.conf and we can restrict selinux to only allow NM to write
>> /etc/resolv.conf. It would also remove the need for making it
>> immutable. Problem is, we are all busy people....
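The backup/restore behaviour described in this thread, as an added sketch that is not the script posted to the list or shipped upstream. The backup file name, the NAMESERVERS override and the nmcli terse output format are assumptions; only the /var/run/dnssec-trigger directory and the "dns=none" check come from the message. It also refuses to install a resolv.conf with no nameserver entry, the failure mode mentioned in the quoted reply.

```shell
# Added example. Paths can be overridden from the environment for a dry run.
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
NM_CONF="${NM_CONF:-/etc/NetworkManager/NetworkManager.conf}"
BACKUP_DIR="${BACKUP_DIR:-/var/run/dnssec-trigger}"  # directory named in the thread
BACKUP_FILE="$BACKUP_DIR/resolv.conf.backup"         # assumed file name

# Succeeds only if the [main] section of the NM config contains dns=none.
nm_dns_none() {
    [ -r "$NM_CONF" ] || return 1
    sed -n '/^\[main\]/,/^\[/p' "$NM_CONF" |
        grep -Eq '^[[:space:]]*dns[[:space:]]*=[[:space:]]*none[[:space:]]*$'
}

# One nameserver address per line. NAMESERVERS (space separated) overrides the
# nmcli query; the nmcli terse output format is assumed to be "IP4.DNS[n]:addr".
current_nameservers() {
    if [ -n "${NAMESERVERS:-}" ]; then
        printf '%s\n' $NAMESERVERS
    else
        nmcli -t -f IP4.DNS device show 2>/dev/null | sed -n 's/^IP4\.DNS[^:]*://p'
    fi
}

resolvconf_backup() {
    nm_dns_none || return 0            # NM manages the file itself: nothing to save
    [ -s "$RESOLV_CONF" ] || return 0
    mkdir -p "$BACKUP_DIR" && cp -p "$RESOLV_CONF" "$BACKUP_FILE"
}

resolvconf_restore() {
    if nm_dns_none && [ -s "$BACKUP_FILE" ]; then
        cp -p "$BACKUP_FILE" "$RESOLV_CONF" && rm -f "$BACKUP_FILE"
        return
    fi
    # Fallback: write current nameservers via a temp file; never install an empty one.
    tmp="$RESOLV_CONF.tmp.$$"
    current_nameservers | sed -n 's/^\(..*\)$/nameserver \1/p' > "$tmp"
    if [ -s "$tmp" ]; then
        mv "$tmp" "$RESOLV_CONF"
    else
        rm -f "$tmp"
        return 1                       # keep the old file rather than an empty one
    fi
}

case "${1:-}" in
    backup)  resolvconf_backup ;;
    restore) resolvconf_restore ;;
esac
```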